Deepviz Endpoint Client Beta release


Deepviz

Level 1
Verified
Feb 27, 2016
25
Thank you for your swift reply and for your offer, I will contact you.

I am a real-time signature-based skeptic by nature, however some things would let me install a signature AV again:

1- light on resources
2- very, very few FPs
3- total control of the applications and settings.

Can you give us some info about those 3 points and your product?

This is really a good question, thanks!

Deepviz is not signature-based; we try to stay as far as possible from this approach. I think there are already solid solutions and AVs out there that use a signature-based approach, and the world doesn't really need another player playing the same game.

Deepviz analyzes PE files as well as PDF and OLE files (only PE files on the Endpoint Client) thanks to our cloud malware analysis engine. From the analysis we then extract their behaviour as well as static metadata (network activities, packets, code injection, strings from dumped memory etc.) and we match them against our threat intelligence database. Here is what happens:

- We have a set of rules (400+ dynamic rules) to identify malicious activities and thus automatically identify malware
- We have a machine learning AI classifier acting as a second-opinion classifier if the above rules don't show anything clear
- We correlate in real time all the metadata and behavioral information we extracted from the analysis against what we already have in our database. By doing so, we can find malware families and identify similar samples even if they are repacked or slightly modified (this last feature is available only on demand when you dig into our threat intelligence database, but it will be included in the set of automatic determination rules used to find and mark new malware). It's a self-learning database: the more data we inject into it, the better it will perform

Everything is executed in our backend, thus the client itself is very light on the system. Suspicious files are automatically uploaded to our cloud infrastructure and the result is pushed back to the client. During our internal beta we had good feedback from people who almost got infected by ransomware and were alerted by our Endpoint Client where the installed AV didn't see anything at all.

Regarding application control: users will be able to enable/disable real-time monitoring, enable/disable the automatic sample upload (if disabled, the client will only check files against our database, but it won't find anything if we don't already have such a sample), and eventually decide whether the client should prevent file execution or simply monitor the system (not available yet, the client is only a monitor right now).

The very nice thing about our endpoint client is the centralized cloud-based management console at Deepviz - Endpoint Protection, where you can monitor all the endpoints you registered with your API key and check whether they are infected and what malware has been found, deploy specific configurations to the client (not available yet), and deactivate registered endpoints and thus free seats.

About false positives: nobody is really FP-free, nor are we; I'd be cheating if I said we are totally FP-free. Our technology is being improved every day and we will be able to improve it even more thanks to your reports and feedback. This is the reason why, if you find false positives or anything that doesn't work as expected, please don't hesitate to contact me. We will add a local feature to the client where you can right-click on files wrongly determined as malware and automatically alert our research team; our engineers will take care of your report and fix it as soon as possible.

I really hope I have provided you with a good understanding of our approach and technology. If not, please keep asking, I'm monitoring this thread and I will do my best to reply here as quickly as possible. :)

Thanks!
 

Deepviz

Hi @Deepviz

I have some questions about your program

1. Will it be free or paid after the Beta/RC testing?
2. Any info on the multilanguage version of it?
3. Which engines do you use? Can you add the engines to virustotal, virscan.org, herdprotect, metascan, virusimmune and opswat please?

With best regards
Mops21

Thanks for your questions!

1. It's a bit too early to discuss, as we're only at our first public BETA yet; however we're definitely thinking about a free tier for private non-commercial use :)

2. Until we're close to the final build we will support English only, but the client is already designed to support multiple languages

3. We have our own in-house developed engine; it's a cloud-based infrastructure which runs and analyzes the files caught on the client. If you want to upload files yourself manually you can go to Deepviz - Analyze. Yes, we're planning to have our engine added to the websites you listed; it will take some time, but technically speaking it's feasible even today :)

Hope I answered your questions! :)
 

Deepviz

Just another one: what is this coupon-credit thingy of yours? :D

Right, I forgot to give an explanation! :D

All users who registered an account for free at Deepviz, installed the endpoint client and give us support by using it and giving us their feedback can contact us at Deepviz Customer Support (or me, here by PM) and open a ticket asking for a free coupon for our Deepviz pay-as-you-go Small plan (Deepviz - Account). You will get free credits to be used within our Deepviz platform: our threat intelligence database, downloading samples, scripting our APIs into your code and integrating Deepviz
 
Deleted member 178

Still more mysterious to me after reading the page, I'm too used to the basic yearly/lifetime type of licenses :p

So let's say I have a coupon for the "pay-as-you-go" plan.

- For how long can I use Deepviz?
- On how many machines can I install it?
- Since I do lots and lots of testing, I often rollback/clean-reinstall my OS; may my behavior have bad effects on my "license"?

By the way, what are those "credits"?
 

Mops21

Level 35
Verified
Honorary Member
Content Creator
Oct 25, 2014
2,489

Thank you very much for your answers, I will test it soon I think

With best Regards
Mops21
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
(1) "This is the reason why if you find false positives or anything that doesn't work as expected, please don't hesitate and contact me"
What is better: posting in this thread, by PM, or on the support forum?

For the first FP, I post here :)

- Windows 10 Pro 64-bit
- Several drives protected by BitLocker

"C:\Windows\System32\fvenotify.exe" => BitLocker Drive Encryption Notification Tool (not sure the words are in the right order :oops:)

From the report:
Analysis status failed: the executable is corrupted or our environment is not able to start the process, yet.

(2) I ran a second scan after the first ended:

On "Real-time monitor", it's now at more than 4334 files scanned.
But in the "on demand" panel, for at least one hour now, it shows 299/302, and seems to be blocked on fvenotify.exe

Regards,
@DardiM
 

DardiM

Since my last post, I ran several "on demand" scans (real-time monitoring activated): no more FP :)
 

Deepviz

Hi DardiM,

Thanks for your feedback and sorry for the delayed answer! Yes, we have a research team who's constantly checking results and potential false positives.

In the next release of our Client you'll be able to right click on the wrong detection and automatically report it to us :)
 

Mops21

Hi @Deepviz

I have four questions for you

1. Can you add or post a changelog for each new release please?

2. Is a right-click scan available for files and folders?

3. And when will you release the final version?

4. Do you plan an RC before the final release?

With best Regards
Mops21
 

Deepviz

You're right, it's not clear :)

Deepviz isn't just the Endpoint Client we're talking about in this thread. Deepviz is a full-featured threat intelligence platform as-a-service, which includes:

- Deepviz Malware Analysis Engine service, where you can upload your files manually and get back the analysis report
- Deepviz Threat Intelligence Database, where you can search for domains and IPs, find malware connecting to specific hosts, find similar samples etc.
- Deepviz Search Engine, a free-text search engine where you search for something related to a malware (filename, string inside malware, IP, domain) and it comes back with the information you need
- Deepviz APIs, a full set of RESTful APIs to integrate the services listed above with existing tools and platforms. We also provide users with ready-to-go plug&play libraries written in Python/C/C++/Java/Ruby for easier integration

We have subscription plans for SMB and enterprise, but we wanted to provide home users / single researchers with a pay-as-you-go credits system to use our platform, which means 1 credit / 1 action.

E.g. if you buy the pay-as-you-go Small plan, you get 10 Intel queries, which means you can do 10 threat intelligence queries from our Search Engine and/or Threat Intelligence Database.

Deepviz Endpoint Client is a new product which is built upon the Deepviz platform infrastructure; credits are not related to this product, of course.

Regarding your questions:

- For how long can I use Deepviz? While we're in beta you can use it as long as you want. After the beta is over we still have to figure out the plans, but for sure there will be a feature-limited free plan

- On how many machines can I install it? A single API key allows you to install the endpoint client on up to 3 machines for free

- Since I do lots and lots of testing, I often rollback/clean-reinstall my OS; may my behavior have bad effects on my "license"? It shouldn't if the underlying PC is always the same. Though a real test on your side would definitely help us :)

Hope I explained the whole picture a bit better now :) If not, please keep asking and I'll try to be as clear as possible.

Best regards!
 

Deepviz

1. Yes, I will definitely!
2. Not yet, but it's on the roadmap
3. Not scheduled yet, we're working hard :)
4. Yes, there will be RC releases before the Final build :)

Thanks!
 

Mops21

Ah okay, thank you very much for your info and for your answers. I have another question for you

1. Does the program have an update function to update itself?

With best Regards
Mops21
 

Mops21

Hi @Deepviz

Here are 2 questions for you

1. Do I need to register to use the program?

2. What are the pros and cons of a registration?

With best Regards
Mops21
 
Deleted member 178

OK, so I installed Deepviz on my main machine (Win10 x64 Home) and entered my API key; here are my observations:

The Good:

- Very clean and lean interface, no fancy stuff, not complicated, good job on it
- Scan speed is decent, not too long, not too slow
- Resource impact is moderate, around 60 MB (when idle), 90 MB (during scan) for 2 processes.

The Bad:

- Way too many FPs, and from well-known products.
- No whitelist/exception feature in the GUI (maybe it is on the dashboard but I don't see where ^^)
- Cannot self-whitelist a process/DLL

What should be fixed/improved for the next build:

- the software doesn't register itself in the Start Menu
- the user should be able to export a log file from the GUI
- in the advanced tab, the scroll button is too small
- the user should be able to copy-paste the entries in the advanced view

The false positives I had:

C:\Program Files\Shield\ShdServ.exe (from Rollback RX - Horizondatasys)
C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe (from SoftEther VPN - SoftEther)
C:\Program Files\SoftEther VPN Client\vpncmgr_x64.exe (from SoftEther VPN - SoftEther)
C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe (from Zemana Anti-malware - Zemana)
C:\Windows\SysWOW64\hmpalert.dll (from HitmanPro Alert - Surfright)
C:\Windows\System32\RCoInstII64.dll (from Realtek Semiconductor Corp)

Overall it seems a good product; improvements have to be made, especially for the false positives, as well as adding some usability features.

Questions:

Now I have Deepviz telling me I'm infected (because of the above FPs); how do I revert to normal status? Should I wait for the samples to be whitelisted?

Observations:

I cannot install it on VirtualBox; the guest is Win7U x64, and Win7 says "error starting service", then says the driver is unsigned so it refuses to install it.
 

Deepviz

Thanks!! Your feedback is really appreciated! :)

Let me address some of your points:

- Resource impact will be lowered as soon as we have optimized some internal mechanisms; it's still in "debug" mode, thus eating a bit more system resources;

- About false positives, we're working hard to shape our detections :) And thanks to your reports we will be able to do it even better; we will add a right-click feature to report false positives

- Whitelisting/exclusion list: it's on the roadmap, we will add it very soon :)

- Didn't the software start at system startup? This is really weird :confused: Can you elaborate on this a bit more so I understand what you saw, how you made it work, and your observations?

- Thanks for the UI hints, I'll pass them on to our UI engineer!

- About Windows 7 x64: it is probably a non-updated build of Windows 7 x64. Sadly Windows 7 is quite old and there's an incompatibility between the new digital certificates and the OS support for SHA-2 algorithms. Windows 7 x64 doesn't support SHA-2 certificates unless it's fully up to date, or unless you install this OS patch https://support.microsoft.com/en-gb/kb/3123479

- Regarding restoring the system status: yes, at the moment you need to wait for us to fix the false positives (which is something we're going to do now). When whitelisting is active, you won't need to wait anymore.

Hope I addressed all your questions :)

Cheers!
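A quick way to confirm the two conditions named above on a Windows 7 guest, as an added example (not part of the thread or Deepviz's tooling): whether the signer certificate on the rejected driver uses a SHA-2 signature algorithm, and whether KB3123479 is installed. The driver path is a placeholder to be replaced with the file that failed to install.

```powershell
# Added example (not from the thread). Checks a file's Authenticode signer
# certificate for a SHA-2 signature algorithm and whether the patch cited in
# the thread (KB3123479) is present. $DriverPath is a placeholder.
param(
    [string]$DriverPath = 'C:\path\to\driver.sys'   # placeholder: driver/exe to inspect
)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
Write-Host "Signature status     : $($sig.Status)"          # Valid, NotSigned, UnknownError, ...
Write-Host "Status message       : $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    # Signature algorithm of the signer's certificate, e.g. sha256RSA (SHA-2) or sha1RSA
    $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    Write-Host "Signer cert algorithm: $alg"
    if ($alg -match 'sha(256|384|512)') {
        Write-Host 'Signer certificate uses SHA-2: an un-patched Windows 7 x64 may reject it.'
    }
} else {
    Write-Host 'No signer certificate found (file is not Authenticode-signed).'
}

# The thread points to KB3123479 as the update Windows 7 x64 needs for SHA-2 support.
$kb = Get-HotFix -Id KB3123479 -ErrorAction SilentlyContinue
if ($kb) { Write-Host "KB3123479 installed on $($kb.InstalledOn)" }
else     { Write-Host 'KB3123479 not installed: apply it or fully update the OS before retrying.' }
```

Run it in an elevated PowerShell on the Windows 7 guest; a SHA-2 signer together with a missing KB3123479 reproduces the "driver is unsigned" refusal described above.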
 
Deleted member 178

Thanks!! Your feedback is really appreciated! :)

You are welcome ;)

- Resource impact will be lowered as soon as we have optimized some internal mechanisms; it's still in "debug" mode, thus eating a bit more system resources;

OK, I see now; I wondered why so much for a simple GUI :p

- About false positives, we're working hard to shape our detections :) And thanks to your reports we will be able to do it even better; we will add a right-click feature to report false positives
- Whitelisting/exclusion list: it's on the roadmap, we will add it very soon :)

Good to know

- Didn't the software start at system startup? This is really weird :confused: Can you elaborate on this a bit more so I understand what you saw, how you made it work, and your observations?

It starts, but there is no shortcut to launch it in the Start Menu program list.

- Thanks for the UI hints, I'll pass them on to our UI engineer!

No problemo

- About Windows 7 x64: it is probably a non-updated build of Windows 7 x64. Sadly Windows 7 is quite old and there's an incompatibility between the new digital certificates and the OS support for SHA-2 algorithms. Windows 7 x64 doesn't support SHA-2 certificates unless it's fully up to date, or unless you install this OS patch https://support.microsoft.com/en-gb/kb/3123479

Oh indeed, I remember now the certificate change made by MS. I installed an ISO of Win7 SP1 in my VM; maybe this patch was already included.

- Regarding restoring the system status: yes, at the moment you need to wait for us to fix the false positives (which is something we're going to do now). When whitelisting is active, you won't need to wait anymore.

OK, it is what I guessed.

- Hope I addressed all your questions :)

Yes, thanks ;)
 